Mapping domain admins AD group to jira-administrators

JiraYo
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 8, 2017

Hey there, I can't pick groups in the "bulk edit group members" section.

What I want to achieve is to have anyone in the 'domain admins' group in Active Directory automatically become a member of the jira-administrators local group.

Obviously this could be expanded to include all 'domain users' being members of the lowest-level group (jira servicedesk users maybe) so that they can submit requests. I mean, that's the next step. However, it seems that with local groups, I have to add them one by one.

I want to minimize how much I have to fiddle with the built-in groups and would rather use AD, which is already segmented into groups, for assigning user permissions. I am not seeing how to do that. I can assign groups to "roles" and "global permissions"; however, I wanted to just inherit all the permissions that (for example) jira-administrators already has.

For example, jira administrators is already a member of every group on the global permissions page, but if I wanted to add "domain admins" to every group, I would have to add it manually. Much easier if I could just add "domain admins" to the "jira-administrators" group and have it inherit. Especially since I am not sure where else 'jira-administrator' may have permissions that I really want domain admins to have access to.

In our corp, domain admins only has two users, so I can manually add them as individual users to the 'jira-administrators' group, but something like 'domain users' has hundreds, and I won't be adding them all manually to any group.

Please advise, thanks.

1 answer

1 vote
Lars Olav Velle
Rising Star
November 8, 2017

With SAML and ADFS this can be easily achieved. 

ADFS: "Send group memberships as a claim"

Select the group to be sent as an outgoing claim, e.g. domain admins, then outgoing claim value: jira-administrators.

Really the same for domain users -> jira-users.

Cheers,

Lars

JiraYo
Rising Star
November 8, 2017

Sorry, do you have some kind of document about this? Where is that setting on the backend? I don't see anything about it in user directories.

Thanks for your reply.

Lars Olav Velle
Rising Star
November 8, 2017

This can be achieved with ADFS (and probably other IdPs as well) and any SAML provider that supports group claims.

I work with Kantega Single Sign-on, but there are many vendors to choose from:

https://marketplace.atlassian.com/search?query=saml

-Lars

Mitchel van Zitteren
May 3, 2020

Hello Lars,

I have attempted the following:

With SAML and ADFS this can be easily achieved. 

ADFS: "Send group memberships as a claim"

Select the group to be sent as an outgoing claim, e.g. domain admins, then outgoing claim value: jira-administrators.

Really the same for domain users -> jira-users.

This does not seem to work. The specified active directory is not mapped to the configured Jira-group and members are not being added.

Are you sure this is supported and if so, can you please provide a more detailed instruction?

Thank you in advance.
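
Added example, not part of the thread and not code from any SAML add-on: a diagnostic for the situation in the last comment. It decodes a SAMLResponse captured from your own login and reports whether the group values the IdP sent are the mapped Jira group names from the answer or still the raw AD group names. Assumptions: the attribute name (the ADFS Group claim type), the function names, and the constructed sample response; the signature is not validated.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: groups are issued under the ADFS "Group" claim type.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
# Mapping from the answer: AD group -> outgoing claim value.
EXPECTED = {"Domain Admins": "jira-administrators", "Domain Users": "jira-users"}

def group_claims(saml_response_b64, attr_name=GROUP_ATTR):
    """Return group values from a base64 SAMLResponse (HTTP-POST binding).
    Diagnostic only: no signature or condition checks are performed."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def diagnose(values, expected=EXPECTED):
    """Sort values into mapped Jira names, raw AD names, and unknown."""
    report = {"mapped": [], "unmapped_ad_name": [], "unknown": []}
    by_ad_name = {k.lower(): v for k, v in expected.items()}
    for v in values:
        if v in expected.values():
            report["mapped"].append(v)
        elif v.lower() in by_ad_name:
            # The IdP sent the AD group name, so the claim rule did not rewrite it.
            report["unmapped_ad_name"].append((v, by_ad_name[v.lower()]))
        else:
            report["unknown"].append(v)
    return report

# Constructed sample: one group rewritten by the claim rule, one passed through raw.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<saml:AttributeValue>jira-administrators</saml:AttributeValue>
<saml:AttributeValue>Domain Users</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    print(diagnose(group_claims(SAMPLE)))
```

An empty result from `group_claims` means no attribute with that name was sent at all, which points at the claim rule or the attribute name configured on the Jira side rather than at the mapping values.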
